sec(cd): attest release provenance

Author: josimar-silva

.github/workflows/cd.yaml

@@ -55,6 +55,8 @@ jobs:
 
     permissions:
       contents: write
+      id-token: write
+      attestations: write
       actions: read
 
     env:
@@ -90,6 +92,11 @@ jobs:
           tar -czvf blog-${{ env.RELEASE_VERSION }}.tar.gz -C dist .
           shasum -a 512 blog-${{ env.RELEASE_VERSION }}.tar.gz > blog-${{ env.RELEASE_VERSION }}.tar.gz.sha512
 
+      - name: Attest release provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: '${{ github.workspace }}/blog-${{ env.RELEASE_VERSION }}.tar.gz'
+
       - name: 🔖 Create Git Tag
         run: |
           git config user.name "radagastbot[bot]"